At the recent NZNOG meeting in Nelson, Geoff Huston from APNIC gave a talk on DNSSEC and had some interesting statistics about the use of validating resolvers for DNS and DNSSEC.

For DNSSEC to work there are two parts of the equation that need to happen:

1) People need to sign their zones
2) People need to ask the question "is this zone signed" etc.

I want to talk about 2)

Geoff noted that a number of countries that we might not expect to be high on the list of those validating the responses using the DNSSEC technology were way ahead of the rest of the world. I haven't got the exact numbers here - I expect his presentation will appear shortly and there's likely to be a video of it at some stage at http://www.r2.co.nz/20140130/ - but from memory the global average is about 7% usage of validating resolvers.

New Zealand is a dismal <2% and I'd like to challenge you all to do something about that. And we're way behind the Australians....

Geoff pointed out that the high rate elsewhere is due to a large degree to the number of people using Google's Public DNS servers and while that looks attractive and an easy way to improve those numbers I'd ask you not to go down that path. You need to do this yourself (or at least as close as possible to the end user). If you use someone else's resolver then your traffic can be intercepted en route to the validating resolver => man in the middle attack => game over.

And of course, handing this data over to a centralised collection agent makes the work of anyone who wants to snoop on you much, much easier.

It's not about Google's servers - this applies equally to public servers run by anyone. DNSSEC validation is not real validation unless it's performed end to end or at least as close as possible to that. A number of NZ ISPs provide this service to their customers with their in house resolvers and those of you who don't should really be looking at when you will do this.

Those people who have signed their zones are making assertions about how they want their DNS data to be interpreted. They're saying that unless you validate their DNS data they really don't want you to connect to them. You should be taking notice of this. But then maybe you just ignore broken certs on websites etc.

So what should you do?

End user
========

Check here - http://dnssec.vs.uni-due.de/
Or use - https://www.dnssec-validator.cz/

Ask your ISP/admins to fix this.

ISPs/Enterprise
===============

If you're running a resolver for customers do the work to get it validating, please....

Plenty of info out there on how to do this for Bind and Unbound and I'm no Windows expert but this looks straightforward:

Windows: http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSE...
Andy, I'd like to talk more about 1 (while you're talking about 2). Matt Grant is very interested in working on implementing some software he helped build for a number of providers. I'm interested in seeing this and IPv6 pushed into the DTC platform that we use. I think the current roadblocks are funding and resource and I'm not quite sure how to solve this.

D

On 11/02/2014 11:35 a.m., Andy Linton wrote:
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
I'M COLLECTING COFFEE CUPS FOR PROJECT COFFEE CUP.
Deja vue (missing the French accent mark) - literally means already seen, that sense of haven't we been here before.
On 11/02/2014, at 11:35 am, Andy Linton
I’ve been talking about this with one of my customers recently, and there’s a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don’t work' while the other ISP does.

Is there public data available re. this? Does it likely vary much for NZ? I think unbound can be configured to only log when validation fails rather than actually acting on it in a negative way, so I imagine it’s not hard to figure out. Thinking out loud here, we’d probably want some full query logging to get some useful stats - i.e. this zone that breaks is looked at by x% of customers, and it is y% of total unique zones queried, etc. Thinking out loud here.

Good chance that all the problems around this have disappeared these days, but it’d be interesting to find out.

(note, I haven’t Googled yet :)

— Nathan Ward
On 11/02/14 11:51, Nathan Ward wrote:
On 11/02/2014, at 11:35 am, Andy Linton <asjl(a)lpnz.org> wrote:
Hi Nathan,
I’ve been talking about this with one of my customers recently, and there’s a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don’t work' while the other ISP does.
Is there public data available re. this? Does it likely vary much for NZ? I think unbound can be configured to only log when validation fails rather than actually acting on it in a negative way, so I imagine it’s not hard to figure out.. thinking out loud here we’d probably want some full query logging to get some useful stats - i.e. this zone that breaks is looked at by x% of customers, and it is y% of total unique zones queried, etc. Thinking out loud here.
Based on a chat here and there with people running validating resolvers, they haven't had major problems because the deployment base is not that big. However, Comcast had issues at some point when, for different reasons, some .gov domain names that were signed became unavailable due to failed validation. The software they use implements a feature called "negative trust anchor", which defines a "white list" of domains that you don't want to be validated. That can be used to survive an event when a major domain fails validation and you want your users to still see it. My understanding is Unbound also implements this, but I haven't tested it yet.
Cheers,
-- Sebastian Castro Technical Research Manager .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535
Dave Mill (Inspire) stood up at NZNOG and clearly said that for them
that never happened.
Just turn it on.
On Tue, Feb 11, 2014 at 11:51 AM, Nathan Ward
On 02/11/2014 12:20 PM, Dean Pemberton wrote:
Dave Mill (Inspire) stood up at NZNOG and clearly said that for them that never happened.
Just turn it on.
While I freely admit to not having a huge audience, I haven't had anyone contact us with an issue that might be related to having our godzone.net.nz signed; perhaps Michael from Unleash might comment as well, as unleash.net.nz is signed as well. I use a plugin for Chrome, 'DNSSec Validator', which gives a user's-eye view of what is signed.

-- Glen Eustace, GodZone Internet Services, a division of AGRE Enterprises Ltd., P.O. Box 8020, Palmerston North, New Zealand 4446 Ph: +64 6 357 8168, Fax: +64 6 357 8165, Mob: +64 27 542 4015 "A Ministry specialising in providing low-cost professional Internet Services to NZ Christian Churches, Ministries and Organisations"
On Tue, 11 Feb 2014 12:25:10 +1300, Glen Eustace wrote:
perhaps Michael from Unleash might comment as well as unleash.net.nz is signed as well
No problems so far that I can point to as a result of unleash.net.nz being signed. We've been monitoring it and haven't had any oopses with the signing yet that we've spotted (which is not to say that there haven't been a few unfortunate cases more generally; dns-oarc has a few good ones documented).

I've had some problems with my personal empire (hotplate.co.nz) but all I can really say of that is "don't run your signing infrastructure on a netbook at your house with no backups". The worst fallout from that was ~1 hour where my mailman lists wouldn't talk to Gmail while I replaced DS records, re-signed and went back to ignoring it :) I did have to wait until just as the ZSK was expiring to try to minimise the impact of this. Obviously the unleash.net.nz signing is being carried out on slightly more appropriate kit 8^)

-- Michael
Yeah, to repeat what I mentioned briefly at NZNOG for the benefit of people that didn't attend.

We turned on dnssec support on our unbound resolvers in June 2011. We have had no known issues from doing this at all. It was a simple 5 minute change.

Also, because occasional "dns weirdness" tickets get to us from the helpdesk I'd like to think that any issues that could occur are not just getting lost in the matrix.

Cheers
Dave
On Tue, Feb 11, 2014 at 12:20 PM, Dean Pemberton
Dave Mill (Inspire) stood up at NZNOG and clearly said that for them that never happened.
Just turn it on.
10,000+ customers resolving with DNSSEC enabled caches and we have noticed no issues with it. The only thing we had to do is disable the DNSSEC error logging as it was a lot of noise.

category dnssec { null; };
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
Tony, Flip
-----Original Message-----
From: Dean Pemberton
Sent: Tuesday, February 11, 2014 12:20 PM
To: Nathan Ward
Cc: NZNOG List
Subject: Re: [nznog] Validating resolvers for DNS and DNSSEC
Dave Mill (Inspire) stood up at NZNOG and clearly said that for them
that never happened.
Just turn it on.
On 11/02/2014, at 1:21 pm, Tony Wicks
10,000+ customers resolving with DNSSEC enabled caches and we have noticed no issues with it. The only thing we had to do is disable the DNS sec error logging as it was a lot of noise.
category dnssec { null; };
dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;
Error logging isn’t something I’d want to ignore. What sort of errors were you seeing? — Nathan Ward
Here you go -
Feb 11 14:24:31 ns2 named[5927]: validating @0x7f1d48226850: fhr.data.mozilla.com A: no valid signature found
Feb 11 14:24:31 ns2 named[5927]: validating @0x7f1d4a56b910: gks3ve6q998vi7v3llirpk67eh1rpm81.mozilla.com NSEC3: no valid signature found
Feb 11 14:25:09 ns2 named[5927]: validating @0x7f1d481cbce0: hollywoodreporter.myshopify.com A: no valid signature found
Feb 11 14:25:11 ns2 named[5927]: validating @0x7f1d507226f0: valetmag.myshopify.com A: no valid signature found
Feb 11 14:25:16 ns2 named[5927]: validating @0x7f1d402b2c10: furniture-zone.myshopify.com A: no valid signature found
Feb 11 14:25:27 ns2 named[5927]: validating @0x7f1d48226850: preferences-mgr.truste.com A: no valid signature found
Feb 11 14:25:38 ns2 named[5927]: validating @0x7f1d48226850: beastmodecoaching.myshopify.com A: no valid signature found
Feb 11 14:25:38 ns2 named[5927]: validating @0x7f1d429a96d0: legendsofaesthetics.myshopify.com A: no valid signature found
-----Original Message-----
From: Nathan Ward
Sent: Tuesday, February 11, 2014 1:44 PM
To: Tony Wicks
Cc: NZNOG List
Subject: Re: [nznog] Validating resolvers for DNS and DNSSEC
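To put numbers on the errors Tony shows, here is an added example (mine, not code from the thread or from BIND) that parses those validator lines and reports failures per zone, the per-zone half of the stats Nathan was after; the zone grouping is a small heuristic I've assumed, not a public-suffix list.

```python
"""Summarise BIND validation failures per zone.

Added example (not from the thread): given the "validating ... no valid
signature found" lines BIND writes to its dnssec log category, work out which
zones are failing, how often, and what share of all failures each one is.
BIND's validation log carries no client address, so the "x% of customers"
figure Nathan mentions needs query logs joined on the name; this covers the
per-zone side only.
"""
import re
from collections import defaultdict

# Sample input: lines copied from Tony's named log above (one entry per line).
SAMPLE_LOG = """\
Feb 11 14:24:31 ns2 named[5927]: validating @0x7f1d48226850: fhr.data.mozilla.com A: no valid signature found
Feb 11 14:24:31 ns2 named[5927]: validating @0x7f1d4a56b910: gks3ve6q998vi7v3llirpk67eh1rpm81.mozilla.com NSEC3: no valid signature found
Feb 11 14:25:09 ns2 named[5927]: validating @0x7f1d481cbce0: hollywoodreporter.myshopify.com A: no valid signature found
Feb 11 14:25:11 ns2 named[5927]: validating @0x7f1d507226f0: valetmag.myshopify.com A: no valid signature found
Feb 11 14:25:16 ns2 named[5927]: validating @0x7f1d402b2c10: furniture-zone.myshopify.com A: no valid signature found
Feb 11 14:25:27 ns2 named[5927]: validating @0x7f1d48226850: preferences-mgr.truste.com A: no valid signature found
Feb 11 14:25:38 ns2 named[5927]: validating @0x7f1d48226850: beastmodecoaching.myshopify.com A: no valid signature found
Feb 11 14:25:38 ns2 named[5927]: validating @0x7f1d429a96d0: legendsofaesthetics.myshopify.com A: no valid signature found
"""

# Layout of one BIND validator log line, as seen in the sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rrtype>\S+): (?P<reason>.+)$"
)

# Second-level labels under which .nz (and similar ccTLDs) delegate, so that
# "www.example.co.nz" groups as example.co.nz rather than co.nz. This is an
# assumed heuristic, not a public-suffix list; extend it for your own traffic.
CC_SECOND_LEVEL = {"co", "net", "org", "ac", "govt", "school", "geek", "gen",
                   "maori", "mil", "health", "iwi", "kiwi", "parliament", "cri"}


def parse_line(line):
    """Return the fields of one validation-failure line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def zone_of(name):
    """Heuristic registrable zone for a name; hashed NSEC3 owners fold into their parent."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def failure_report(log_text):
    """Aggregate failures per zone.

    Returns a list of (zone, failures, distinct_names, pct_of_all_failures)
    sorted by failure count, highest first.
    """
    per_zone = defaultdict(lambda: {"failures": 0, "names": set()})
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:           # not a validator line (or a different format)
            continue
        zone = zone_of(rec["name"])
        per_zone[zone]["failures"] += 1
        per_zone[zone]["names"].add(rec["name"].lower())
        total += 1
    rows = []
    for zone, agg in per_zone.items():
        pct = 100.0 * agg["failures"] / total if total else 0.0
        rows.append((zone, agg["failures"], len(agg["names"]), pct))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for zone, failures, names, pct in failure_report(SAMPLE_LOG):
        print(f"{zone:24} failures={failures:<3} names={names:<3} {pct:5.1f}% of failures")
```

For the log-only behaviour Nathan asks about, unbound's `val-permissive-mode: yes` together with `val-log-level: 2` hands back unvalidated answers but still logs each failure with its reason, so the same kind of report can be built before enforcement is switched on.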
Hi Nathan, List, On Tue, 11 Feb 2014 11:51:14 +1300, Nathan Ward wrote:
I’ve been talking about this with one of my customers recently, and there’s a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don’t work' while the other ISP does.
Is there public data available re. this? Does it likely vary much for NZ?
Acknowledging that we don't really service a lot of "eyeballs" customers compared to others who are deeper into the residential/SOHO markets, and that I'm yet to properly bother collecting hard numbers for this (mostly because so far nobody has complained), I don't think we've had a single support call about a DNSSEC validation false positive yet. We've been running validating unbound resolvers in front of our broadband customers (including a couple of WISPs who borrowed our recursor infrastructure) since (I believe) around February of 2012, looking at our change management system.

-- Michael Fincham System Administrator, Unleash
On 2014-02-11 11:51 , Nathan Ward wrote:
On 11/02/2014, at 11:35 am, Andy Linton
wrote: [Validated your DNSSEC]
I’ve been talking about this with one of my customers recently, and there’s a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don’t work' while the other ISP does.
I too have customers like that, who decided "not validating" was safer. So I asked Geoff about bad signing situations. He pointed out that particularly since Google have been validating (for 8.8.8.8) for 6+ months, any bad signing situations either tend not to persist for very long (ie, it's not just broken for you!), or are unimportant (ie, basically no one noticed so it never got fixed). IIRC Geoff said that someone at (I think) University of Cambridge was keeping stats on broken DNSSEC and how long it persisted, but I haven't tracked down the reference.

I came away from that discussion with Geoff, and comments from Inspire/Unleash/etc with the impression that just turning on DNSSEC validation is pretty safe these days, and ought to be the default. It's certainly on my "to follow up early this year" list.

Ewen
On 11/02/2014, at 1:37 pm, Ewen McNeill
Awesome, this is good info.
On Tue, 11 Feb 2014 11:35:08 +1300, Andy Linton wrote:
If you're running a resolver for customers do the work to get it validating, please....
I'm happy to volunteer some time in my personal capacity for anyone who needs a hand getting unbound up and running with validation - or for that matter PowerDNS for live signing. unbound especially is very easy to get running & signing :) -- Michael Fincham
On 11/02/14 12:15, Michael Fincham wrote:
On Tue, 11 Feb 2014 11:35:08 +1300, Andy Linton wrote:
If you're running a resolver for customers do the work to get it validating, please....
I'm happy to volunteer some time in my personal capacity for anyone who needs a hand getting unbound up and running with validation - or for that matter PowerDNS for live signing.
unbound especially is very easy to get running & signing :)
For those not present at NZNOG14, I gave a lightning talk about how easy it was to set up unbound on a Raspberry Pi to serve the NZNOG wireless network. We could have got away with it unnoticed with a more powerful box; the RPi couldn't handle the load properly and timed out on some users under heavy load (lunch time). Also, I gave a tutorial about OpenDNSSEC to teach how to do the signing. If anyone needs help with that, let us know.

Cheers,
-- Sebastian Castro Technical Research Manager .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535
Andy
On 11/02/2014, at 11:35 am, Andy Linton
Those people who have signed their zones are making assertions about how they want their DNS data to be interpreted. They're saying that unless you validate their DNS data they really don't want you to connect to them.
What?!! Well it's the first time I've ever heard that said.

Jay

-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
participants (11): Andy Linton, Dave Mill, Dean Pemberton, Don Gould, Ewen McNeill, Glen Eustace, Jay Daley, Michael Fincham, Nathan Ward, Sebastian Castro, Tony Wicks